How to install a SWITCHpki QuoVadis certificate in the Apache HTTP server

For the Apache HTTP server and mod_ssl, the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives are used to configure the server's certificate. There are two possible options, which apply to both Apache HTTP server 2.2.x and 2.4.x:

Server certificate and intermediate CA in the same file

Requires Apache HTTP server versions 2.4.8 and later

The SSLCertificateFile and SSLCertificateChainFile directives can refer to the same file, provided that this file contains both the server certificate and the intermediate CA certificate (concatenated, in PEM format). In this case, the configuration looks like this:

SSLCertificateKeyFile   myserver.key
SSLCertificateFile      myserver.crt.pem
SSLCertificateChainFile myserver.crt.pem
# SSLCertificateChainFile is needed for the Apache HTTP server up to 2.4.7

A properly formatted file for use with this option can be retrieved from the SWITCHpki download page, where it is listed as Server certificate with chain in PEM format.

The advantage of this option is that it is future-proof: with Apache HTTP server 2.4.8 and later, the SSLCertificateChainFile directive is obsolete (it is deprecated in favor of a more versatile form of the SSLCertificateFile directive, which can include the intermediate CA certificates as well, making it possible to use a single configuration directive and a single file).

Enabling OCSP Stapling

Apache has supported OCSP Stapling since version 2.4. Enabling OCSP Stapling is highly recommended. (Also see the IAB Statement on OCSP Stapling.)

The following instructions describe how to enable OCSP Stapling in Apache. For detailed information on the various statements and for specific configuration needs, please consult the Apache SSL Documentation.

DISCLAIMER: SWITCH provides these configurations on best effort. Please carefully check whether this configuration suits your needs.

Red Hat Enterprise Linux 7, CentOS 7, and Fedora 20

You need to add the following configuration to the file /etc/httpd/conf.d/ssl.conf:

# OCSP Stapling

SSLUseStapling on
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)
# Prevent browsers from blocking access if an OCSP query is temporarily not possible.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off

You need to add these statements before the following existing lines:

##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>

Ubuntu (14.04 LTS), Debian (8 "jessie")

You need to add the following configuration to the file /etc/apache2/mods-available/ssl.conf:

# OCSP Stapling

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(32768)
# Prevent browsers from blocking access if an OCSP query is temporarily not possible.
SSLStaplingReturnResponderErrors off
SSLStaplingErrorCacheTimeout 60
SSLStaplingFakeTryLater off

You need to add these statements before the following existing line:

</IfModule>
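Both the Red Hat and the Ubuntu/Debian instructions above place the stapling directives in the server-wide context (before any VirtualHost block, or inside the mod_ssl IfModule wrapper), because SSLStaplingCache is not valid inside a VirtualHost and httpd will refuse to start if it is put there. The following script is an added example, not SWITCH's own tooling: check_stapling_config verifies that placement in a given ssl.conf (generalized to "outside any VirtualHost block", which covers both distributions), and check_stapled_response queries a live server with openssl s_client to confirm that a stapled OCSP response is actually delivered. The config path and host name are placeholders you supply.

```shell
#!/bin/sh
# check_stapling_config FILE
# Returns 0 when SSLUseStapling on and SSLStaplingCache shmcb:... both appear
# outside every <VirtualHost> block of FILE, 1 otherwise. Comment lines are ignored.
check_stapling_config() {
    awk '
        BEGIN { in_vhost = 0; use = 0; cache = 0 }
        /^[[:space:]]*#/ { next }                       # skip comments such as "# OCSP Stapling"
        /^[[:space:]]*<VirtualHost/ { in_vhost = 1 }   # entering a virtual host context
        /^[[:space:]]*<\/VirtualHost>/ { in_vhost = 0 } # back to server context
        /^[[:space:]]*SSLUseStapling[[:space:]]+[Oo][Nn]/ && !in_vhost { use = 1 }
        /^[[:space:]]*SSLStaplingCache[[:space:]]+shmcb:/ && !in_vhost { cache = 1 }
        END { exit ((use && cache) ? 0 : 1) }
    ' "$1"
}

# check_stapled_response HOST [PORT]
# Live check (needs network access and the openssl CLI): prints whether the
# server sent a stapled OCSP response. Right after a restart httpd may not have
# fetched a response yet, so repeat the check after a few seconds if it fails.
check_stapled_response() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    case "$out" in
        *"OCSP Response Status: successful"*) echo "$host: stapled OCSP response present"; return 0 ;;
        *) echo "$host: no stapled OCSP response"; return 1 ;;
    esac
}

# Constructed sample config (not a real server file) to exercise the offline check.
sample=$(mktemp)
printf '%s\n' '# OCSP Stapling' 'SSLUseStapling on' \
    'SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)' \
    '<VirtualHost _default_:443>' 'SSLEngine on' '</VirtualHost>' > "$sample"
if check_stapling_config "$sample"; then
    echo "sample: stapling directives are in the server-wide context"
else
    echo "sample: stapling directives missing or inside a VirtualHost"
fi
rm -f "$sample"
# For a real host: check_stapling_config /etc/httpd/conf.d/ssl.conf && check_stapled_response www.example.org
```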